Microsoft and Adobe Patch 100+ Bugs in December

There’ll be plenty for system administrators to do right up to the end of the year with Microsoft’s latest patch update round featuring fixes for nine critical vulnerabilities including one zero-day bug.

The 39 flaws reported by the computing giant on Tuesday paled in comparison to the 87 posted by Adobe and represent a relatively light load, but there are important caveats.

The main one is CVE-2018-8611, an elevation-of-privilege (EoP) bug that affects all supported operating systems from Windows 7 to Server 2019, enabling an attacker to run arbitrary code in kernel mode.

“To exploit this vulnerability, an attacker would first have to log on to the system. An attacker could then run a specially crafted application to take control of an affected system,” explained Microsoft.

“An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Another one to note is CVE-2018-8517, a publicly disclosed flaw which could allow a DoS attack in .NET web apps.

“The vulnerability can be exploited remotely without authentication by issuing a specially crafted request to the vulnerable application,” explained Ivanti’s Chris Goettl.

“The vulnerability is rated as important likely due to complexity to exploit, but it has been publicly disclosed, meaning enough information has been revealed to the public to give a threat actor a head start on creating an exploit to take advantage of the vulnerability.”

Allan Liska, senior solutions architect at Recorded Future, also pointed to a critical heap overflow vulnerability in Microsoft’s DNS Server (CVE-2018-8626), and several critical flaws in the Microsoft Edge Chakra Core scripting engine.

“This is the now the 15th straight month that Microsoft has disclosed a vulnerability in the Chakra scripting engine, the last Patch Tuesday without a Chakra disclosure was September of 2017,” he explained.

This month’s Chakra memory corruption vulnerabilities (CVE-2018-8583 and CVE-2018-8629) would allow an attacker to execute arbitrary code on the victim’s machine.

Experts also urged firms to apply Adobe’s patches, especially those for CVE-2018-15982 and CVE-2018-15983, two critical Adobe Flash zero-day vulnerabilities being actively exploited in the wild.